b6d4d85540bf70ac43b05ed94efc8f021d07526a56543f06dae986337e3d84e2

General

Target

b6d4d85540bf70ac43b05ed94efc8f021d07526a56543f06dae986337e3d84e2.dll
Size

864KB
MD5

aee9d12ec17e9fc250cfb56f9a530e36
SHA1

509405a33897700ee9d294c92397b352288ab342
SHA256

b6d4d85540bf70ac43b05ed94efc8f021d07526a56543f06dae986337e3d84e2
SHA512

4b75e0bf47e41b984bba62259e770e54963c141c71bfcc6a0bbc36068a37fadcef9c9d5177192dd544e060440fa51eb532780e4850d57aedce98764a64c96d46
SSDEEP

24576:SMkuNMkBhiyJRwQnN2K3yWds0JkKyVx+HNrUQRqM8:rkuNMkTialcadsLz+tgQM

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

756 1680 WerFault.exe rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

pid	pid_target	process	target process
756	1680	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b053633b4c09d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb3264c7590277488e725a3bd12bfc7600000000020000000000106600000001000020000000cbbdf46d08743d67a11e71e4773bbfdc2c182e58d70d638dbdd2a557615e34c9000000000e8000000002000020000000f1234e4c73794d1a32376e8d38dd40886677c6ea2284593a572e0f7ea5bb61af200000007191694dff587ae3b87ba30211ec0effc1940d73ce4b0338318603f1bb07bf9f400000009de3d0eacdcd6c2f2e2e6e36a11986f01f32d6b7f8716d51120891988b9d974af224c9f8440c3a1f4ffbbd0456d677329e21e539669af487c6dcee9b4561882d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C419A11-753F-11ED-8AB9-FAB5137186BE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb3264c7590277488e725a3bd12bfc7600000000020000000000106600000001000020000000221e0847c8a96f4120d9a5f8a67abacc26baf1e15cdc059870a37f6aff52c4e6000000000e800000000200002000000055f351be9d8de703c3d4f73a6700b551affb97e9c9fd5a72ea355309e3d6385490000000d5ae10ca120e2591bd62018d62a7c7f271bdf5d0d90476762cbd18058347f2b5f9b7c71c932f19bb713cdf7f098ec7f94900c35c7ac78d0b9e2902a4ac347e88d6391bb65f0ca634d206836b2b6e36382868b6bc88884f7bacf5f0026b4453353da04b479df0c82cfd27df5f6c9ce575979970d31dfa26cb3ac0290eb2f96d7b91fb6afa2c11b4cd0027b78342e689324000000066e8519400a32a9ebbe06fdf4fe476c677b1753d40985eb5d926f841a344c9354017c8ecc51d9870841914dd25350cb7a25d0f6cc1c11cbfa2f7287360ead3a5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377080029"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1928 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

rundll32.exeiexplore.exeIEXPLORE.EXE

pid process

1680 rundll32.exe
1928 iexplore.exe
1928 iexplore.exe
888 IEXPLORE.EXE
888 IEXPLORE.EXE

pid	process
1928	iexplore.exe

pid	process
1680	rundll32.exe
1928	iexplore.exe
1928	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execmd.exeiexplore.exe

description	pid	process	target process
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1372 wrote to memory of 1680	1372	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 1708	1680	rundll32.exe	cmd.exe
PID 1680 wrote to memory of 1708	1680	rundll32.exe	cmd.exe
PID 1680 wrote to memory of 1708	1680	rundll32.exe	cmd.exe
PID 1680 wrote to memory of 1708	1680	rundll32.exe	cmd.exe
PID 1708 wrote to memory of 1928	1708	cmd.exe	iexplore.exe
PID 1708 wrote to memory of 1928	1708	cmd.exe	iexplore.exe
PID 1708 wrote to memory of 1928	1708	cmd.exe	iexplore.exe
PID 1708 wrote to memory of 1928	1708	cmd.exe	iexplore.exe
PID 1928 wrote to memory of 888	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 888	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 888	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 888	1928	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 756	1680	rundll32.exe	WerFault.exe
PID 1680 wrote to memory of 756	1680	rundll32.exe	WerFault.exe
PID 1680 wrote to memory of 756	1680	rundll32.exe	WerFault.exe
PID 1680 wrote to memory of 756	1680	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6d4d85540bf70ac43b05ed94efc8f021d07526a56543f06dae986337e3d84e2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6d4d85540bf70ac43b05ed94efc8f021d07526a56543f06dae986337e3d84e2.dll,#1
2⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start http://www.pekalongan-community.com/
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.pekalongan-community.com/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 432
3⤵
- Program crash
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LIX27CIM.txt
Filesize
608B

MD5
2bb1922f86b8fca67711ef9dab62893b

SHA1
9222c41a59d0bb6315d2916d691a7087eb55fa4c

SHA256
918552742408e1830c5e1a1d37e32d6027cdc4dc148411b9f7f7e167e88cb511

SHA512
1527de14b7312f41d3c5fb18bde6382591f785553f74b3d373ba397a50f3594ce4032ab60d06e279134e19e992d17bc8f55b723b1e46f79150a5e8640a130b50

Download Submit
memory/756-62-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000000000000-mapping.dmp

Download
memory/1680-55-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000074F20000-0x000000007536F000-memory.dmp

Filesize
4.3MB

Download
memory/1680-57-0x0000000074AD0000-0x0000000074F1F000-memory.dmp

Filesize
4.3MB

Download
memory/1680-58-0x0000000074AD0000-0x0000000074F1F000-memory.dmp

Filesize
4.3MB

Download
memory/1680-61-0x0000000074AD0000-0x0000000074F1F000-memory.dmp

Filesize
4.3MB

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads